Articles about SEC

The modern CISO's guide to navigating new SEC cyber regulations


The U.S. Securities and Exchange Commission (SEC) regulations requiring reporting of a material cybersecurity breach within four days have taken effect. As we progress through 2024, CISOs are going to face the harsh reality of needing to consistently demonstrate and attest to the fidelity of their cybersecurity program.

The outdated method of “buying every tool to protect every vulnerability” will simply fail. Without a clear vision of your threat exposure, security teams will be left feeling overwhelmed with the specific task of addressing known risks, often leading to a game of cybersecurity whack-a-mole -- addressing risk after risk with no real light at the end of the tunnel in sight.


Navigating the complex role of the CISO under SEC disclosure rules


I’ve led security functions and established cybersecurity board reporting processes for over 25 years. The relationship between CEOs and CISOs has always held contradictions, and the decisions around when to disclose a breach have always been hard. But the recent developments involving the SEC and SolarWinds are a regulatory game-changer for the CISO community. Still, I think we’ll all ultimately come out OK from this if we behave ethically.

New ethical lines are being drawn very quickly and publicly as teams figure out the lines between good judgment and fraud. I have no intention of moralizing here about the SEC’s allegations against SolarWinds and their CISO. Rather, I’d like to shine a light on the underlying principles of disclosure that have served as my own ethical compass, and which I think remain unchanged.


BetaNews, your source for breaking tech news, reviews, and in-depth reporting since 1998.
